The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.
In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog box, Microsoft said. The box could prompt visitors to press the F1 key, which would install malware on the visitor's computer when pressed. The F1 key is used to bring up the help function.
Windows Vista, Windows 7 and Windows Server 2008 are not affected. The issue is mitigated on Windows Server 2003, where IE Enhanced Security Configuration is enabled by default.
The advisory includes several workarounds, including advice to avoid pressing the F1 key when prompted by a Web site, restricting access to the Windows Help System, setting Internet and Local intranet security zone settings to "high" to block ActiveX Controls and Active Scripting, and configuring IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.
Microsoft complained in its advisory and a statement that the vulnerability was not responsibly disclosed. The hole was revealed last week and proof-of-concept code was released by iSEC Security Research.
Anyone believed to have been affected by the hole can visit Microsoft's Consumer Security Support Center Web site.